An inside look at building Private Cloud for InVision Enterprise

We love our customers and our customers love us — and we love providing the best digital product design tools you’ve
ever seen, for you to do the best design work of your life. So today, as we announce our Private Cloud offering,
Engineering wanted to tell you about the technical bits behind it.

Back in the good old days, all software ran on your own computers; for enterprises, this meant having your own machines
in your own data center, having operators in the IT department who installed, ran, and monitored the hardware and
software protecting your company’s data.

Then, back in the 2000s, SaaS software started showing up. SaaS brings all kinds of advantages to both users and
engineers, including easier management and monitoring – plus the fact it is continuously improving, staying at the
cutting edge of design tooling.

But there are pluses and minuses to SaaS, just as there are to on-premise software, so a few innovative SaaS companies
(like us!) have started offering a hybrid approach: a private version of their software, just for you, but operated by
the vendor.

This Private Cloud has the advantages of SaaS – up-to-date software and no worries about operating the software – and
the advantages of on-prem – your IT department controlling the systems to corporate standards, and having access to the
application logs for auditing and other purposes.

In a larger organization, the IT department keeps everyone safe and secure. The number of daily attacks, and attack
vectors, is mind boggling – so it really is important to have an IT department that supports and monitors your systems,
SaaS or not.

In short, we created Private Cloud to make your IT department’s jobs easier. Unless you’re an IT person, you won’t even
notice you are using a Private Cloud because the InVision Private Cloud has all the same features as our InVision
Enterprise product – all the same user features and all the same security – but with added control and monitoring.

Private Cloud runs on dedicated hardware[1] to provide additional controls to your IT department. It includes the same
SSO, in-transit encryption, on-disk encryption, and DDOS and WAF protection that our Enterprise product does. But
because Private Cloud runs on dedicated hardware, it has a silo’ed application stack and dedicated databases, i.e.,
it’s a single-tenant system rather than a multi-tenant SaaS system, and thus it has additional control and monitoring
features.

One of those features is direct access to the application and infrastructure logs for the IT department to use for
conformance audits, monitoring for external attacks, and more. Another of those features is allowing the IT department
to control blackout periods. Like any SaaS company, we continuously update and improve InVision, often dozens of times
a day, and you never notice. But if you would like to stop those updates for a blackout period – such as Intuit does
for tax season, or Amazon does for holiday shopping – the IT department can set that up.

Technically, as engineers, Private Cloud was a lot of fun to build. It’s all automated behind the scenes, so we can run
hundreds of private clouds just as easily as we can run one. Our first step was to abstract out certain hard-coded
implementation details into parameters (mostly as environment variables that can be set differently for each cloud).
We built an administrative interface for your IT department to get access to the logs, etc.

Then we built a new deployment pipeline that is driven by our database of Private Clouds so that the pipeline deploys
to all the clouds instead of just one. Our deploys are completely chatbot driven through Rosie, our operations bot, so
we just tell Rosie to “deploy service X” and she handles the whole pipeline, deploying service X to our
multi‑tenant SaaS site, and to each of the Private Clouds.

Lastly, and probably the most interesting piece of the technical work: our scripted system for creating new Private
Clouds. This tool automatically performs all the steps necessary to provision and configure a new Private Cloud. Some
of the steps use existing software (e.g. Terraform for provisioning EC2, RDS and S3), some steps use APIs (e.g. setting
up new Kubernetes pods, creating a new MongoDB cluster, setting monitoring with our third-party vendor, etc), and some
steps even required a custom procmail-style email send-receive process so that we could automate processes that can
only be done by email (such as getting new SSL certificates for the new sub-domain).

The net result of all this work is that our systems, untouched by human hands, can set up a new Private Cloud for you
in just a few minutes. And our development engineers can continue to build and deploy innovative digital product design
tools for you without having to think about how many Private Clouds we have. You get the features you need, today. Your
IT department gets the auditing and control it needs, today. And our engineers get to focus on our great products
instead of the details of the infrastructure.

We’re darn proud of InVision Private Cloud, and we hope you enjoy it as much as we’ve enjoyed building it for you!

[1] Of course everything these days runs on virtual machines and Docker images, so what I really mean is “dedicated
virtual machines and Docker images”.